• Document Up to Date
  • Updated On 4.0.0

Permission Mappings

The permission mappings configuration file assigns permissions to folders and objects in a site, giving specific roles rights to those objects. It contains the permission mappings for the roles defined in the role mappings configuration file. Rights are granted to a role by adding permissions inside the <allowed-permissions> tag; the absence of a permission means it is denied. Each rule has a regular expression that governs the scope of the permissions it assigns. A list of the permissions that can be granted to roles follows the sample configuration file.

Permissions are defined per:
site > role > rule

For example, to grant the role component_author the ability to read/write components and read-only to everything else:

<role name="component_author">
  <rule regex="/site/website/.*">
    <allowed-permissions>
      <permission>Read</permission>
    </allowed-permissions>
  </rule>
  <rule regex="/site/components/.*">
    <allowed-permissions>
      <permission>Read</permission>
      <permission>Write</permission>
      <permission>Create Content</permission>
      <permission>Create Folder</permission>
    </allowed-permissions>
  </rule>
  <rule regex="/static-assets/.*">
    <allowed-permissions>
      <permission>Read</permission>
    </allowed-permissions>
  </rule>
</role>

A regex of “~DASHBOARD~” governs view access to the publishing workflow related dashboard widgets:

  • Items Waiting For Approval
  • Approved Scheduled Items
  • Recently Published

To grant a role the ability to view these dashboard widgets, simply grant the role the permission Publish to the scope ~DASHBOARD~. For example:

<rule regex="~DASHBOARD~">
  <allowed-permissions>
    <permission>Publish</permission>
  </allowed-permissions>
</rule>

To modify or view the permission mappings for your site in Studio, click on Project Tools at the bottom of the Sidebar, then click on Configurations and select Permissions Mapping from the list.


Sample

Here’s a sample Permission Mappings Configuration file:

Sample "permission-mappings-config.xml"
<?xml version="1.0" encoding="UTF-8"?>
<!--
  ~ Copyright (C) 2007-2022 Crafter Software Corporation. All Rights Reserved.
  ~
  ~ This program is free software: you can redistribute it and/or modify
  ~ it under the terms of the GNU General Public License version 3 as published by
  ~ the Free Software Foundation.
  ~
  ~ This program is distributed in the hope that it will be useful,
  ~ but WITHOUT ANY WARRANTY; without even the implied warranty of
  ~ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  ~ GNU General Public License for more details.
  ~
  ~ You should have received a copy of the GNU General Public License
  ~ along with this program.  If not, see <http://www.gnu.org/licenses/>.
  -->

<!-- permission-mappings-config.xml

  This file contains the permissions mappings for the roles defined in
  role-mappings-config.xml.

  Permissions are defined per:
  site > role > rule

  Rules have a regex expression that governs the scope of the permissions assigned.

  Permissions are:
  - Read
  - Write
  - Create Content
  - Create Folder
  - Create Content Type
  - Publish

  Absence of permissions means the permission is denied.

  For example, to grant the role component_author the ability to read/write
  components and read-only to everything else:

      <role name="component_author">
          <rule regex="/site/website/.*">
            <allowed-permissions>
              <permission>Read</permission>
            </allowed-permissions>
          </rule>
          <rule regex="/site/components/.*">
            <allowed-permissions>
              <permission>Read</permission>
              <permission>Write</permission>
              <permission>Create Content</permission>
              <permission>Create Folder</permission>
            </allowed-permissions>
          </rule>
          <rule regex="/static-assets/.*">
            <allowed-permissions>
              <permission>Read</permission>
            </allowed-permissions>
          </rule>
      </role>

  A regex of "~DASHBOARD~" governs view access to the publishing workflow
  related dashboard widgets:
  - Items Waiting For Approval
  - Approved Scheduled Items
  - Recently Published

  To grant a role the ability to view these dashboard widgets, simply grant
  the role the permission Publish to the scope ~DASHBOARD~. For example:

      <rule regex="~DASHBOARD~">
        <allowed-permissions>
          <permission>Publish</permission>
        </allowed-permissions>
      </rule>

-->
<permissions>
    <role name="author">
        <rule regex="/site/website/.*">
            <allowed-permissions>
                <permission>content_read</permission>
                <permission>content_write</permission>
                <permission>content_create</permission>
                <permission>folder_create</permission>
                <permission>list_cmis</permission>
                <permission>search_cmis</permission>
                <permission>clone_content_cmis</permission>
                <permission>upload_content_cmis</permission>
                <permission>get_children</permission>
            </allowed-permissions>
        </rule>
        <rule regex="/site/components|/site/components/.*">
            <allowed-permissions>
                <permission>content_read</permission>
                <permission>content_write</permission>
                <permission>content_create</permission>
                <permission>folder_create</permission>
                <permission>list_cmis</permission>
                <permission>search_cmis</permission>
                <permission>clone_content_cmis</permission>
                <permission>upload_content_cmis</permission>
                <permission>get_children</permission>
            </allowed-permissions>
        </rule>
        <rule regex="/static-assets|/static-assets/.*">
            <allowed-permissions>
                <permission>content_read</permission>
                <permission>content_write</permission>
                <permission>content_create</permission>
                <permission>folder_create</permission>
                <permission>list_cmis</permission>
                <permission>search_cmis</permission>
                <permission>clone_content_cmis</permission>
                <permission>upload_content_cmis</permission>
                <permission>get_children</permission>
            </allowed-permissions>
        </rule>
        <rule regex=".*">
            <allowed-permissions>
                <permission>content_read</permission>
                <permission>S3 Read</permission>
                <permission>S3 Write</permission>
                <permission>webdav_read</permission>
                <permission>webdav_write</permission>
                <permission>list_plugins</permission>
                <permission>get_children</permission>
                <permission>publish_status</permission>
            </allowed-permissions>
        </rule>
    </role>
    <role name="publisher">
        <rule regex="/site/.*">
            <allowed-permissions>
                <permission>content_read</permission>
                <permission>content_write</permission>
                <permission>content_create</permission>
                <permission>folder_create</permission>
                <permission>publish</permission>
                <permission>get_publishing_queue</permission>
                <permission>cancel_publish</permission>
                <permission>list_cmis</permission>
                <permission>search_cmis</permission>
                <permission>clone_content_cmis</permission>
                <permission>upload_content_cmis</permission>
                <permission>get_children</permission>
            </allowed-permissions>
        </rule>
        <rule regex="^/site/(?!website/index\.xml)(.*)">
            <allowed-permissions>
                <permission>content_read</permission>
                <permission>content_delete</permission>
            </allowed-permissions>
        </rule>
        <rule regex="/(static-assets|templates|scripts)/.*">
            <allowed-permissions>
                <permission>content_read</permission>
                <permission>content_write</permission>
                <permission>content_create</permission>
                <permission>folder_create</permission>
                <permission>publish</permission>
                <permission>get_publishing_queue</permission>
                <permission>cancel_publish</permission>
                <permission>list_cmis</permission>
                <permission>search_cmis</permission>
                <permission>clone_content_cmis</permission>
                <permission>upload_content_cmis</permission>
                <permission>content_delete</permission>
                <permission>get_children</permission>
            </allowed-permissions>
        </rule>
        <rule regex="~DASHBOARD~">
            <allowed-permissions>
                <permission>content_read</permission>
                <permission>publish</permission>
                <permission>get_publishing_queue</permission>
                <permission>publish_status</permission>
                <permission>cancel_publish</permission>
            </allowed-permissions>
        </rule>
        <rule regex=".*">
            <allowed-permissions>
                <permission>content_read</permission>
                <permission>S3 Read</permission>
                <permission>S3 Write</permission>
                <permission>webdav_read</permission>
                <permission>webdav_write</permission>
                <permission>list_plugins</permission>
                <permission>get_children</permission>
                <permission>publish_status</permission>
            </allowed-permissions>
        </rule>
    </role>
    <role name="developer">
        <rule regex="/.*">
            <allowed-permissions>
                <permission>content_read</permission>
                <permission>content_write</permission>
                <permission>publish</permission>
                <permission>get_publishing_queue</permission>
                <permission>cancel_publish</permission>
                <permission>folder_create</permission>
                <permission>content_create</permission>
                <permission>Change Content Type</permission>
                <permission>list_cmis</permission>
                <permission>search_cmis</permission>
                <permission>clone_content_cmis</permission>
                <permission>upload_content_cmis</permission>
                <permission>write_configuration</permission>
                <permission>add_remote</permission>
                <permission>list_remotes</permission>
                <permission>pull_from_remote</permission>
                <permission>push_to_remote</permission>
                <permission>rebuild_database</permission>
                <permission>remove_remote</permission>
                <permission>site_status</permission>
                <permission>resolve_conflict</permission>
                <permission>site_diff_conflicted_file</permission>
                <permission>commit_resolution</permission>
                <permission>cancel_failed_pull</permission>
                <permission>encryption_tool</permission>
                <permission>get_children</permission>
                <permission>publish_status</permission>
                <permission>view_logs</permission>
            </allowed-permissions>
        </rule>
        <rule regex="^/(?!site/website/index\.xml)(.*)">
            <allowed-permissions>
                <permission>content_read</permission>
                <permission>content_delete</permission>
            </allowed-permissions>
        </rule>
        <rule regex="~DASHBOARD~">
            <allowed-permissions>
                <permission>content_read</permission>
                <permission>publish</permission>
                <permission>get_publishing_queue</permission>
                <permission>cancel_publish</permission>
                <permission>write_configuration</permission>
                <permission>add_remote</permission>
                <permission>list_remotes</permission>
                <permission>pull_from_remote</permission>
                <permission>push_to_remote</permission>
                <permission>rebuild_database</permission>
                <permission>remove_remote</permission>
                <permission>site_status</permission>
                <permission>resolve_conflict</permission>
                <permission>site_diff_conflicted_file</permission>
                <permission>commit_resolution</permission>
                <permission>cancel_failed_pull</permission>
                <permission>encryption_tool</permission>
                <permission>publish_status</permission>
            </allowed-permissions>
        </rule>
        <rule regex=".*">
            <allowed-permissions>
                <permission>content_read</permission>
                <permission>S3 Read</permission>
                <permission>S3 Write</permission>
                <permission>webdav_read</permission>
                <permission>webdav_write</permission>
                <permission>list_plugins</permission>
                <permission>install_plugins</permission>
                <permission>remove_plugins</permission>
                <permission>get_children</permission>
            </allowed-permissions>
        </rule>
    </role>
    <role name="admin">
        <rule regex="/.*">
            <allowed-permissions>
                <permission>content_read</permission>
                <permission>content_write</permission>
                <permission>publish</permission>
                <permission>get_publishing_queue</permission>
                <permission>cancel_publish</permission>
                <permission>folder_create</permission>
                <permission>content_create</permission>
                <permission>Change Content Type</permission>
                <permission>list_cmis</permission>
                <permission>search_cmis</permission>
                <permission>clone_content_cmis</permission>
                <permission>upload_content_cmis</permission>
                <permission>add_remote</permission>
                <permission>list_remotes</permission>
                <permission>pull_from_remote</permission>
                <permission>push_to_remote</permission>
                <permission>rebuild_database</permission>
                <permission>remove_remote</permission>
                <permission>write_configuration</permission>
                <permission>site_status</permission>
                <permission>resolve_conflict</permission>
                <permission>site_diff_conflicted_file</permission>
                <permission>commit_resolution</permission>
                <permission>cancel_failed_pull</permission>
                <permission>encryption_tool</permission>
                <permission>get_children</permission>
                <permission>publish_status</permission>
                <permission>publish_clear_lock</permission>
                <permission>unlock_repository</permission>
                <permission>item_unlock</permission>
                <permission>view_logs</permission>
            </allowed-permissions>
        </rule>
        <rule regex="^/(?!site/website/index\.xml)(.*)">
            <allowed-permissions>
                <permission>content_read</permission>
                <permission>content_delete</permission>
            </allowed-permissions>
        </rule>
        <rule regex="~DASHBOARD~">
            <allowed-permissions>
                <permission>content_read</permission>
                <permission>publish</permission>
                <permission>get_publishing_queue</permission>
                <permission>cancel_publish</permission>
                <permission>add_remote</permission>
                <permission>list_remotes</permission>
                <permission>pull_from_remote</permission>
                <permission>push_to_remote</permission>
                <permission>rebuild_database</permission>
                <permission>remove_remote</permission>
                <permission>write_configuration</permission>
                <permission>site_status</permission>
                <permission>resolve_conflict</permission>
                <permission>site_diff_conflicted_file</permission>
                <permission>commit_resolution</permission>
                <permission>cancel_failed_pull</permission>
                <permission>encryption_tool</permission>
                <permission>publish_status</permission>
                <permission>publish_clear_lock</permission>
                <permission>unlock_repository</permission>
                <permission>item_unlock</permission>
            </allowed-permissions>
        </rule>
        <rule regex=".*">
            <allowed-permissions>
                <permission>content_read</permission>
                <permission>S3 Read</permission>
                <permission>S3 Write</permission>
                <permission>webdav_read</permission>
                <permission>webdav_write</permission>
                <permission>edit_site</permission>
                <permission>list_plugins</permission>
                <permission>install_plugins</permission>
                <permission>remove_plugins</permission>
                <permission>get_children</permission>
                <permission>publish_status</permission>
                <permission>item_unlock</permission>
                <permission>start_stop_publisher</permission>
            </allowed-permissions>
        </rule>
    </role>
    <role name="reviewer">
        <rule regex="/.*">
            <allowed-permissions>
                <permission>content_read</permission>
                <permission>publish</permission>
                <permission>get_publishing_queue</permission>
                <permission>cancel_publish</permission>
                <permission>get_children</permission>
                <permission>publish_status</permission>
            </allowed-permissions>
        </rule>
        <rule regex="~DASHBOARD~">
            <allowed-permissions>
                <permission>content_read</permission>
                <permission>publish</permission>
                <permission>get_publishing_queue</permission>
                <permission>cancel_publish</permission>
                <permission>publish_status</permission>
            </allowed-permissions>
        </rule>
        <rule regex=".*">
            <allowed-permissions>
                <permission>content_read</permission>
                <permission>S3 Read</permission>
                <permission>webdav_read</permission>
                <permission>list_plugins</permission>
                <permission>get_children</permission>
            </allowed-permissions>
        </rule>
    </role>
    <role name="*">
        <rule regex="/.*">
            <allowed-permissions>
                <permission>content_read</permission>
                <permission>get_children</permission>
                <permission>publish_status</permission>
            </allowed-permissions>
        </rule>
        <rule regex=".*">
            <allowed-permissions>
                <permission>content_read</permission>
                <permission>S3 Read</permission>
                <permission>webdav_read</permission>
                <permission>list_plugins</permission>
                <permission>get_children</permission>
                <permission>publish_status</permission>
            </allowed-permissions>
        </rule>
    </role>
</permissions>
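
For reviewing a file like the sample above, here is an added example (not part of the CrafterCMS documentation or code) that computes what a role is granted on a path and lists sensitive permissions sitting on catch-all rules. It assumes a rule applies when its regex matches the whole path and that grants from all matching rules are combined; the probe paths and the trimmed `SAMPLE` are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed excerpt: the publisher role from the sample above, trimmed.
SAMPLE = r"""<permissions>
  <role name="publisher">
    <rule regex="/site/.*">
      <allowed-permissions>
        <permission>content_read</permission>
        <permission>content_write</permission>
        <permission>publish</permission>
      </allowed-permissions>
    </rule>
    <rule regex="^/site/(?!website/index\.xml)(.*)">
      <allowed-permissions>
        <permission>content_read</permission>
        <permission>content_delete</permission>
      </allowed-permissions>
    </rule>
    <rule regex="~DASHBOARD~">
      <allowed-permissions>
        <permission>publish</permission>
      </allowed-permissions>
    </rule>
    <rule regex=".*">
      <allowed-permissions>
        <permission>content_read</permission>
        <permission>webdav_write</permission>
      </allowed-permissions>
    </rule>
  </role>
</permissions>"""

# Constructed probe paths; a rule that matches all of them is treated as catch-all.
PROBES = ["/site/website/index.xml", "/scripts/example.groovy", "/config/example.xml"]


def load_rules(xml_text):
    """Return {role: [(regex, {permissions})]}, with or without a <site> level."""
    rules = {}
    for role in ET.fromstring(xml_text).iter("role"):
        for rule in role.iter("rule"):
            perms = {p.text.strip() for p in rule.iter("permission") if p.text}
            rules.setdefault(role.get("name"), []).append((rule.get("regex"), perms))
    return rules


def effective_permissions(rules, role, path):
    """Union of the permissions of every rule whose regex matches the whole path.
    Assumptions: whole-string matching, union across matching rules, and regex
    syntax that Python's re accepts. Anything not returned is denied."""
    granted = set()
    for regex, perms in rules.get(role, []):
        if re.fullmatch(regex, path):
            granted |= perms
    return granted


def catch_all_grants(rules, sensitive):
    """List (role, regex, permission) for sensitive permissions on catch-all rules."""
    findings = []
    for role, role_rules in rules.items():
        for regex, perms in role_rules:
            if all(re.fullmatch(regex, p) for p in PROBES):
                findings += [(role, regex, perm) for perm in sorted(perms & sensitive)]
    return findings


if __name__ == "__main__":
    rules = load_rules(SAMPLE)
    for path in ("/site/website/index.xml", "/site/website/about/index.xml"):
        print(path, sorted(effective_permissions(rules, "publisher", path)))
    print(catch_all_grants(rules, {"content_delete", "webdav_write"}))
```

The negative lookahead in the second rule is what keeps `content_delete` off `/site/website/index.xml` while still granting it on every other path under `/site/`.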


Description

List of available permissions

| Permission | Description |
|---|---|
| add_remote | User is permitted to add a remote repository |
| audit_log | User is permitted to access the audit log |
| cancel_failed_pull | User is permitted to cancel a failed pull from a repository |
| cancel_publish | User is permitted to cancel a publish request |
| change content type | User is permitted to change content type |
| clone_content_cmis | User is permitted to clone content from a CMIS repository |
| commit_resolution | User is permitted to commit resolution |
| content_create | User is permitted to create new content |
| folder_create | User is permitted to create new folder |
| create_cluster | User is permitted to create cluster |
| create_groups | User is permitted to create new groups |
| create_users | User is permitted to create new users |
| create-site | User is permitted to create projects |
| delete_cluster | User is permitted to delete clusters |
| content_delete | User is permitted to delete content |
| delete_groups | User is permitted to delete groups |
| delete_users | User is permitted to delete users |
| edit_site | User is permitted to edit sites |
| encryption_tool | User is permitted to access the encryption tool |
| get_children | User is permitted to call getChildren* APIs for browsing project content |
| get_publishing_queue | User is permitted to get the list of packages in the publishing queue |
| list_cmis | User is permitted to list files and folders in a CMIS repository with an optional range for pagination |
| list_remotes | User is permitted to list remote repositories for a project |
| publish | User is permitted to approve submitted content for publishing or publish content |
| pull_from_remote | User is permitted to pull content from remote repository to project content repository |
| push_to_remote | User is permitted to push content to remote repository from project content repository |
| content_read | User is permitted to read content |
| read_cluster | User is permitted to read cluster |
| read_groups | User is permitted to read groups |
| read_logs | User is permitted to read logs |
| read_users | User is permitted to read users |
| rebuild_database | User is permitted to rebuild Crafter Studio’s database and object state with the underlying repository |
| remove_remote | User is permitted to remove remote repository from project content repository |
| resolve_conflict | User is permitted to resolve a conflict for a file by accepting ours or theirs |
| s3 read | User is permitted to get a list of items from an S3 bucket |
| s3 write | User is permitted to upload a file to an S3 bucket |
| search_cmis | User is permitted to search files and folders in a CMIS repository with an optional range for pagination |
| site_diff_conflicted_file | User is permitted to get the difference between ours and theirs for a conflicted file for a project |
| site_status | User is permitted to get status of repository for a project |
| update_cluster | User is permitted to update cluster |
| update_groups | User is permitted to update groups |
| update_users | User is permitted to update users |
| upload_content_cmis | User is permitted to upload an asset file to CMIS repository |
| webdav_read | User is permitted to get a list of items from a WebDAV server |
| webdav_write | User is permitted to upload a file to a WebDAV server |
| content_write | User is permitted to edit content |
| write_configuration | User is permitted to write configuration content for project |
| write_global_configuration | User is permitted to write global configuration content for Studio |
| list_plugins | User is permitted to list installed plugins |
| install_plugins | User is permitted to install plugins |

/permissions/site/role@name
    Role name

/permissions/site/role/rule@regex
    Regular expression to filter paths where permission is applied. The value regex="~DASHBOARD~" is a special regular expression applied for content displayed in dashboard widgets only.

/permissions/site/role/rule/allowed-permissions/permission
    Allowed permission for role and rule (possible values given in the table above)